diff --git a/modules/services/networking/openvpn.nix b/modules/services/networking/openvpn.nix index b02f18e6b281..78873db67faa 100644 --- a/modules/services/networking/openvpn.nix +++ b/modules/services/networking/openvpn.nix @@ -10,29 +10,29 @@ let PATH = "${pkgs.iptables}/sbin:${pkgs.coreutils}/bin:${pkgs.iproute}/sbin:${pkgs.nettools}/sbin"; - makeOpenVPNJob = cfg : + makeOpenVPNJob = cfg : name: let upScript = '' #!/bin/sh - exec &> /var/log/openvpn-${cfg.id}-up + exec &> /var/log/openvpn-${name}-up PATH=${PATH} ${cfg.up} ''; downScript = '' #!/bin/sh - exec &> /var/log/openvpn-${cfg.id}-down + exec &> /var/log/openvpn-${name}-down PATH=${PATH} ${cfg.down} ''; - configFile = pkgs.writeText "openvpn-config-${cfg.id}" + configFile = pkgs.writeText "openvpn-config-${name}" '' - ${if cfg ? up || cfg ? down then "script-security 2" else ""} + ${if cfg.up != "" || cfg.down != "" then "script-security 2" else ""} ${cfg.config} - ${if cfg ? up then "up ${pkgs.writeScript "openvpn-${cfg.id}-up" upScript}" else "" } - ${if cfg ? down then "down ${pkgs.writeScript "openvpn-${cfg.id}-down" downScript}" else "" } + ${if cfg.up != "" then "up ${pkgs.writeScript "openvpn-${name}-up" upScript}" else "" } + ${if cfg.down != "" then "down ${pkgs.writeScript "openvpn-${name}-down" downScript}" else "" } ''; in { - description = "OpenVPN-${cfg.id}"; + description = "OpenVPN-${name}"; startOn = "network-interfaces/started"; stopOn = "network-interfaces/stop"; 
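Review bot: The generated `upScript`/`downScript` still pair a `#!/bin/sh` shebang with `exec &> /var/log/openvpn-${name}-up`, and `&>` is a bash extension; under a POSIX sh that line parses as a backgrounded `exec` plus a bare redirection, so the redirect is silently dropped and the root-run hook's output is lost rather than logged. Since the hook is executed by OpenVPN as root under `script-security 2`, losing its output also loses the only record of what `${cfg.up}` did to firewall and routing state. A portable form is `exec > /var/log/openvpn-${name}-up 2>&1`, or point the shebang at `${pkgs.bash}/bin/bash` (`pkgs` is already in scope for `PATH`). Note also that `pkgs.writeText "openvpn-config-${name}"` places the whole `${cfg.config}` text in the world-readable Nix store, which the hunk does not call out anywhere near the option; `makeOpenVPNJob` continues past this hunk.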
@@ -41,12 +41,39 @@ let script = '' - exec &> /var/log/openvpn-${cfg.id} + exec &> /var/log/openvpn-${name} ${config.system.sbin.modprobe} tun || true ${openvpn}/sbin/openvpn --config ${configFile} ''; }; + openvpnInstanceOptions = { + + config = mkOption { + type = types.string; + description = '' + config of this openvpn instance + ''; + }; + up = mkOption { + default = ""; + type = types.string; + description = '' + script which is run when server instance starts up succesfully. + Use it to setup firewall and routing + ''; + }; + down = mkOption { + default = ""; + type = types.string; + description = '' + script which is run when server instance shuts down + Usually this reverts what up has done + ''; + }; + + }; + in { 
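Review bot: The new `config` option's description ("config of this openvpn instance") omits the one thing a user must know: the text is written verbatim into the Nix store and passed as `--config ${configFile}`, so it is world-readable on the host. Suggested wording: `OpenVPN configuration for this instance. The text is copied into the world-readable Nix store, so never inline keys or certificates (<secret>/<key>/<cert> blocks); reference them by absolute path to a file outside the store instead.` The `up`/`down` descriptions should likewise state that the script body runs as root from OpenVPN's hook with `script-security 2`, and fix "succesfully" and "setup" → "successfully" and "set up". The job `script` also uses `exec &>`, which presumably only works if the job runner is bash — worth confirming, since the daemon's log would otherwise be silently discarded.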
@@ -62,56 +89,64 @@ in description = "Whether to enable OpenVPN."; }; + servers = mkOption { - example = [ - { - id = "server-simplest"; - config = '' - # Most simple configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html. - # server : - dev tun - ifconfig 10.8.0.1 10.8.0.2 - secret static.key - ''; - up = "ip route add ..!"; - down = "ip route add ..!"; - } - { - id = "client-simplest"; - config = '' - #client: - #remote myremote.mydomain - #dev tun - #ifconfig 10.8.0.2 10.8.0.1 - #secret static.key - ''; - } - { - id = "server-scalable"; - config = '' - multiple clienst - see example file found in http://openvpn.net/index.php/documentation/howto.html - ''; - } - { - id = "client-scalabe"; - config = '' dito ''; - } - ]; - default = []; + + default = {}; + + example = { + mostSimple = { + config = '' + # Most simple configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html. + # server : + dev tun + ifconfig 10.8.0.1 10.8.0.2 + secret static.key + ''; + up = "ip route add ..!"; + down = "ip route add ..!"; + }; + clientMostSimple = { + config = '' + #client: + #remote myremote.mydomain + #dev tun + #ifconfig 10.8.0.2 10.8.0.1 + #secret static.key + ''; + }; + serverScalable = { + config = '' + multiple clienst + see example file found in http://openvpn.net/index.php/documentation/howto.html + ''; + }; + }; + # !!! clean up this description please description = '' - openvpn instances to be run. Each will be put into an extra job named openvpn-{id} + You can define multiple openvpn instances. - The up and down properties will be added config line up=/nix/store/xxx-up-script - automatically for you. If you define at least one of up/down - "script-security 2" will be prepended to your config. + The id of an instance is given by the attribute name. - Don't forget to check that the all package sizes can be sent. if scp hangs or such you should set - --fragment XXX --mssfix YYY. 
+ Each instance will result in a new job file. + + Additionally you can specify the up/ down scripts by setting + the up down properties. + Config lines up=/nix/store/xxx-up-script down=... + will be appended to your configuration file automatically + + If you define at least one of up/down "script-security 2" will be + prepended to your config otherwise you scripts aren't run by openvpn + + Don't forget to check that the all package sizes can be sent. For + examlpe if scp hangs you should set --fragment XXX --mssfix YYY. ''; + + type = types.attrsOf types.optionSet; + options = [ openvpnInstanceOptions ]; }; - + }; }; @@ -120,9 +155,7 @@ in ###### implementation config = mkIf cfg.enable { - - jobs = listToAttrs (map (c: nameValuePair "openvpn-${cfg.id}" (makeOpenVPNJob c)) cfg.servers); - + jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers); }; }
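Review bot: The new description states that `Config lines up=/nix/store/xxx-up-script down=...` are appended, but the generated config (from `makeOpenVPNJob` earlier in the file) emits OpenVPN's `up /nix/store/...` form with a space, and `up=` is not valid OpenVPN syntax; the text should read `up /nix/store/xxx-up-script`. The `mostSimple` example uses `secret static.key`, a relative path that OpenVPN resolves against the daemon's working directory, which the job never sets; use an absolute path outside the Nix store, e.g. `secret /root/openvpn/static.key`, and say so in the description. Also "package sizes" should be "packet sizes", "you scripts" → "your scripts", "examlpe" → "example", and the `# !!! clean up this description please` marker should not land in the module.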
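Review bot: The attribute name is interpolated unvalidated into the job name `openvpn-${name}`, into the `/var/log/openvpn-${name}` log paths and into the `writeScript`/`writeText` store names; a name containing `/`, `..` or whitespace would produce a log path outside `/var/log` or fail store-name validation at evaluation time with an unhelpful error. It would be worth restricting names at the option level, e.g. in the `servers` description `Instance names must consist of letters, digits, '-' and '_'`, and asserting it where the jobs are built if the available Nix offers a string-matching primitive (`builtins.match` is not visible in this file, so I cannot confirm). On style, `listToAttrs (mapAttrsFlatten (name: value: nameValuePair ...) cfg.servers)` is the shape `lib.mapAttrs'` exists for, if this lib version provides it.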